HIPAA – Is your Compliance Program Intact?
The ADA Guide to HIPAA Compliance is a 3-inch binder loaded with fill-in-the-blank templates and information that is overwhelming to the average dental office. Although it is a good starting point for some and a valuable resource for others, the task of interpreting, translating and implementing it is monumental.
Having a manual with the templates filled in does not mean you are HIPAA compliant. While 100-percent compliance probably isn't realistic, HIPAA auditors are looking for "visibly demonstrable evidence," or VDE. Making a good-faith effort and documenting that effort can go a long way toward reducing fines that can reach $1.5 million per year for violations of a single provision, and more where several provisions are involved.
You or your staff must take time to review your current HIPAA policies, procedures and manuals. Incorporate the recent changes and adjust or modify them to include the new, enhanced privacy protections the Department of Health and Human Services adopted in the Omnibus Rule.
HIPAA’s final Omnibus Rule includes new rights and strengthens the government’s ability to enforce the law.
With respect to the Notice of Privacy Practices, one change is to include a patient's right to restrict disclosures to a health plan for services the patient has paid for out of pocket in full, as well as a patient's right to receive an electronic copy of electronic PHI. My suggestion is to review your provider contracts with respect to this. A patient may ask you not to submit a claim, which could directly contradict a participating provider agreement that requires you to submit a claim for any service provided to a covered patient, whether the service is covered, non-covered, or beyond the patient's annual maximum allowance. The rule requires you to honor the restriction when the patient has paid in full, so the conflict with the plan is better resolved in advance than at the front desk.
The updates also expanded the obligations of business associates. Any non-employee that creates, receives, maintains or transmits PHI on the practice's behalf is a business associate. That includes IT professionals, software companies and vendors, accountants, bookkeepers, training companies, consultants, and so on. Virtually anyone with access to the practice's PHI may be a business associate. For example, the NJDA has signed a Business Associate Agreement in which NJDA agrees to safeguard protected health information presented by any member or member practice to the Association in the course of business.
“According to one resource, 30-70% of security and privacy breaches involve a business associate.”
In the past, practices simply obtained a Business Associate Agreement (BAA) from their associates with the understanding that the associate safeguarded PHI. Under the Omnibus Rule these business associates (non-employees) are directly liable for meeting the same standards as covered entities (dental practices), including the risk of penalties and fines. Do you have confidence in your business associates? Do you have an updated Business Associate Agreement on file? If you do, have you verified that the agreement does not disclaim responsibility?
Your BAA should also address whether the associate subcontracts with other individuals or groups; the rule requires the associate to have its own BAA with any subcontractor that handles your PHI. So, for example, if your office contracts with an IT professional, the IT professional subcontracts a computer technician, and a breach occurs, who is responsible? There is a snowball effect in determining which party is responsible and accountable for fines and penalties. It would be wise to ask whether the business associate carries adequate liability insurance, and perhaps even ask for their security risk management plan. (By the way, your office should have one as well!)
Security Risk Assessment
HIPAA's Security Rule addresses the confidentiality, integrity, and availability of electronic PHI. Risk assessments must be accurate and thorough, and they must be updated as your systems, staff and vendors change. Guidance for conducting risk assessments is available from the National Institute of Standards and Technology (NIST).
A suggested starting point is to identify your contacts (business associates) and the individuals who are authorized to make decisions. This can be you, the practice owner; your staff or privacy/security officer; your office manager/practice administrator; your IT contacts; perhaps your healthcare attorney; and of course your State Dental Association.
Next, identify and categorize information systems. You can't secure information if you are not sure where it is saved. Start with every electronic device used in the office: the file server, workstations, external hard drives, flash drives, copiers, scanners, backup tapes, DVDs, and so forth. Outdated or obsolete information stored on old hard drives, DVDs, CD-ROMs and the like should be securely destroyed, and the destruction recorded.
Then identify realistic threats and potential vulnerabilities for each system. Threats can be human (theft, fraud, inadvertent data entry), environmental (floods, tornadoes, storms), technical, and non-technical. Storing backups offsite reduces the environmental and availability risks; encrypting stored PHI reduces the confidentiality risk of a stolen or lost device. Again, whatever you do, document, document, document. Establish work procedures and provide training for the entire workforce. Create and enforce strong security policies, such as a unique log-in for every user and no sharing of passwords.
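The inventory-then-threats procedure above produces a risk register, and the register is the document an auditor asks for. The following is an added example, not code from the NJDA article or the ADA guide, of a minimal register for a small practice. The scoring scheme is an assumption (a simplified qualitative likelihood x impact matrix in the spirit of the NIST guidance the article refers to), and every asset and threat below is constructed sample data. It models the two controls the paragraph names, encryption at rest and offsite backup, and lists which assets still lack the control that would bring a high risk down.

```python
"""Minimal security risk register for a dental practice.

Added, illustrative example; not code from the NJDA article or the ADA
guide. The scoring is an assumption: a simplified qualitative
likelihood x impact matrix. All assets and threats are constructed.
"""
from dataclasses import dataclass
from itertools import product
from typing import Optional

LEVEL = {"low": 1, "moderate": 2, "high": 3}
LEVEL_NAME = {v: k for k, v in LEVEL.items()}


@dataclass(frozen=True)
class Asset:
    name: str
    holds_phi: bool
    encrypted_at_rest: bool  # stored PHI is unreadable without the key
    offsite_backup: bool     # a copy survives loss of the premises


@dataclass(frozen=True)
class Threat:
    name: str
    category: str            # human, environmental or technical
    likelihood: str          # low / moderate / high
    impact: str              # low / moderate / high with no control in place
    control: Optional[str]   # Asset attribute that reduces the impact


def residual_impact(asset: Asset, threat: Threat) -> int:
    """Impact after the single control this scheme models.

    Assumption: a present control drops the impact to low (encryption
    makes stolen PHI unreadable; an offsite copy makes loss recoverable).
    """
    if threat.control and getattr(asset, threat.control):
        return LEVEL["low"]
    return LEVEL[threat.impact]


def score(asset: Asset, threat: Threat) -> int:
    """Likelihood x residual impact; assets without PHI are out of scope."""
    if not asset.holds_phi:
        return 0
    return LEVEL[threat.likelihood] * residual_impact(asset, threat)


def build_register(assets, threats):
    """One row per (PHI asset, threat) pair, highest risk first."""
    rows = []
    for asset, threat in product(assets, threats):
        s = score(asset, threat)
        if s == 0:
            continue
        missing = (threat.control if threat.control and
                   not getattr(asset, threat.control) else None)
        rows.append({
            "asset": asset.name,
            "threat": threat.name,
            "category": threat.category,
            "likelihood": threat.likelihood,
            "impact": LEVEL_NAME[residual_impact(asset, threat)],
            "score": s,
            "missing_control": missing,
        })
    rows.sort(key=lambda r: (-r["score"], r["asset"], r["threat"]))
    return rows


def open_findings(register, threshold=4):
    """Rows that need a written remediation plan: risk at or above the
    threshold and a known control that the asset does not have."""
    return [r for r in register
            if r["score"] >= threshold and r["missing_control"]]


# Constructed sample inventory (assumption, not a real practice).
ASSETS = [
    Asset("file server", True, False, True),
    Asset("front-desk workstation", True, False, False),
    Asset("hygienist laptop", True, True, False),
    Asset("copier hard drive", True, False, False),
    Asset("waiting-room TV", False, False, False),
]

THREATS = [
    Threat("theft of device", "human", "moderate", "high", "encrypted_at_rest"),
    Threat("flood or fire", "environmental", "low", "high", "offsite_backup"),
    Threat("ransomware", "technical", "moderate", "high", "offsite_backup"),
    Threat("shared log-in hides who did what", "human", "moderate", "moderate", None),
]

if __name__ == "__main__":
    register = build_register(ASSETS, THREATS)
    for row in register:
        print(f'{row["score"]:>2}  {row["asset"]:<24} {row["threat"]:<34} '
              f'missing: {row["missing_control"] or "-"}')
    print(f"{len(open_findings(register))} rows need a documented remediation plan")
```

Run as a script it prints the register sorted by score. The encrypted laptop scores low against theft while the unencrypted workstation and copier drive score high, and the file server, which has offsite backup but no encryption, shows up only for theft. The findings list is the "we recognize the threat and propose a solution" record the article asks you to keep.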
Employees must be informed that the practice protects patients' privacy, and also that their use of employee workstations and portable devices is subject to review, for example through the systems' audit trails. If the practice issues mobile phones, laptops or tablets, implement a remote-wipe utility to protect the PHI stored on the device, such as emails, texts, and photos, in the event the device is stolen or lost.
Your documentation needs to be thorough. Although employees must understand that security infractions result in discipline and possible termination of employment, you still need to develop and implement a sanction policy that formally addresses system misuse, abuse, and fraudulent activity. Again, document, document, document! Determine how your practice deactivates log-ins and passwords when an individual's employment ends, whether the termination is voluntary or involuntary. Include remote access, and how such access is immediately deactivated when an employee or provider ceases employment, and again document it!
Another suggestion: if your office uses a file server, physically safeguard that equipment. Some practices secure the file server to the floor with brackets; others use a locked server closet or some other method of protecting the server from theft. Ask your IT professional how the data on the server can be encrypted at rest, since a stolen encrypted drive does not expose readable PHI so long as the key is not stored with it. All this information needs to go into your HIPAA manual. If there is no documentation, then in the eyes of an auditor, it doesn't exist.
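Deciding how log-ins are deactivated is the policy; checking that it actually happened is the evidence. The following is an added example, not code from the NJDA article, of a periodic access review: it compares an HR roster (with termination dates) against user-account exports from each system (practice-management software, remote-access VPN, email) and flags accounts still enabled after termination, any log-in after the termination date, accounts no employee owns (shared or orphaned log-ins), and accounts nobody has used for 90 days. The roster, the account exports and the 90-day window are all constructed assumptions.

```python
"""Termination / access review for a dental practice's systems.

Added example, not from the NJDA article. Inputs are constructed: an HR
roster with termination dates and an export of user accounts from each
system. The 90-day dormancy window is an assumption.
"""
from datetime import date
from typing import List, NamedTuple, Optional


class Employee(NamedTuple):
    username: str
    name: str
    terminated: Optional[date]  # None while still employed


class Account(NamedTuple):
    system: str                 # e.g. practice_mgmt, vpn, email
    username: str
    enabled: bool
    last_login: Optional[date]


class Finding(NamedTuple):
    system: str
    username: str
    code: str
    detail: str


DORMANT_DAYS = 90


def review_access(roster: List[Employee], accounts: List[Account],
                  as_of: date) -> List[Finding]:
    """Compare every enabled account against the HR roster.

    Flags accounts still enabled after the owner's termination date, any
    log-in after that date, accounts with no matching employee (shared or
    orphaned), and accounts unused for more than DORMANT_DAYS.
    """
    by_user = {e.username: e for e in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already deactivated; nothing to flag
        emp = by_user.get(acct.username)
        if emp is None:
            findings.append(Finding(acct.system, acct.username, "ORPHAN_OR_SHARED",
                                    "no employee on the roster owns this log-in"))
        elif emp.terminated is not None and emp.terminated <= as_of:
            days = (as_of - emp.terminated).days
            findings.append(Finding(acct.system, acct.username, "TERMINATED_STILL_ENABLED",
                                    f"{emp.name} left {emp.terminated}; still enabled {days} days later"))
            if acct.last_login is not None and acct.last_login > emp.terminated:
                findings.append(Finding(acct.system, acct.username, "USED_AFTER_TERMINATION",
                                        f"last log-in {acct.last_login} is after the termination date"))
        elif acct.last_login is None or (as_of - acct.last_login).days > DORMANT_DAYS:
            findings.append(Finding(acct.system, acct.username, "DORMANT",
                                    f"no log-in in the last {DORMANT_DAYS} days"))
    return sorted(findings)


# Constructed sample data (assumption, not a real practice).
AS_OF = date(2014, 6, 2)

ROSTER = [
    Employee("jsmith", "Jane Smith", None),
    Employee("mpatel", "Maria Patel", None),
    Employee("rlee", "Rob Lee", date(2014, 5, 16)),
    Employee("tnguyen", "Tom Nguyen", date(2014, 1, 31)),
]

ACCOUNTS = [
    Account("practice_mgmt", "jsmith", True, date(2014, 6, 2)),
    Account("practice_mgmt", "mpatel", True, date(2014, 2, 1)),
    Account("practice_mgmt", "rlee", True, date(2014, 5, 20)),
    Account("practice_mgmt", "frontdesk", True, date(2014, 6, 2)),
    Account("vpn", "jsmith", True, date(2014, 5, 30)),
    Account("vpn", "rlee", True, date(2014, 5, 15)),
    Account("email", "tnguyen", False, date(2014, 1, 30)),
]

if __name__ == "__main__":
    for f in review_access(ROSTER, ACCOUNTS, AS_OF):
        print(f"{f.system:<14} {f.username:<10} {f.code:<26} {f.detail}")
```

Against the sample data the review finds Rob Lee's practice-management and VPN accounts still enabled two and a half weeks after he left, a log-in on his practice-management account four days after his termination date, the shared "frontdesk" log-in that no individual owns, and a dormant account. Running this at each termination and on a monthly schedule, and filing the output, is the kind of visibly demonstrable evidence the article describes.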
Other physical safeguards might include an alarm system, secured windows, and prevention of unauthorized entry through a back door. If you practice in a professional building, make certain the dropped ceiling does not allow unauthorized access from an adjacent suite. If you can't remedy that, document that you know it exists and propose a resolution, even if it is unrealistic. Remember, anyone who audits your practice is looking for VDE (visibly demonstrable evidence). Show that you recognize the threat and propose a solution.
On the technical side of compliance, keep in mind that as of April 8, 2014, Microsoft no longer supports Windows XP, so XP machines no longer receive security patches. Consult with your IT professional to find out whether any of your systems are affected.
Enable automatic logoff features. Test that the authentication system (unique user IDs and passwords) works as your policy prescribes. Encrypt emails that contain PHI. If emails are not encrypted and the patient requests the PHI via email, make sure the patient understands that there is a level of risk during transmission. Disclosure is very important; it allows the patient to make a decision based on the risks. Prepare in advance how the practice will handle a security incident, and again, document, document, document! This policy should be part of your breach notification process.
Under the Omnibus Rule, an impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the practice can demonstrate a low probability that the PHI has been compromised. So, essentially, the Omnibus Rule removed the "harm standard" from the definition of a reportable breach: the assessment is no longer based on harm to the patient or individual, but on whether the information was compromised. Secured PHI is PHI rendered unusable, unreadable, or indecipherable to unauthorized persons through a technology or methodology such as encryption or destruction of the data. A lost laptop whose drive is properly encrypted, with the key not lost alongside it, is therefore not a reportable breach, while the same laptop unencrypted is.
Numerous security experts report that the weak link in HIPAA compliance is the lack of a security risk assessment and a corresponding risk management plan.
As you re-evaluate your HIPAA compliance program and make appropriate adjustments and modifications, you will have a more realistic understanding of how secure or vulnerable your practice really is. Repeat the risk assessment periodically and make modifications as needed. Be sure to document everything, and review NJDA Monday Morning Emails for updates.